---
# Configuration for the ipsilon webapp

- name: install needed packages
  package: name={{ item }} state=present update_cache=yes
  with_items:
  - ipsilon
  - ipsilon-openid
  - ipsilon-saml2
  - ipsilon-openidc
  - ipsilon-authgssapi
  - ipsilon-authform
  - ipsilon-authpam
  - ipsilon-infosssd
  - ipsilon-infofas
  - ipsilon-theme-Fedora
  - ipsilon-tools-ipa
  - mod_auth_openidc
  - mod_auth_gssapi
  - python3-psycopg2
  - python3-pam
  # For the openid api extension
  - python3-freeipa
  # For the playbook itself
  - git
  - krb5-workstation
  tags:
  - ipsilon
  - packages

- name: Download Fedora-specific code
  git:
    repo: https://pagure.io/fedora-infra/ipsilon-fedora.git
    dest: /opt/ipsilon-fedora
    version: "{{ env }}"
    force: yes
  register: git_update
  tags:
  - ipsilon

- name: Install Fedora-specific code
  command:
    cmd: ./install.sh
    chdir: /opt/ipsilon-fedora
  when: git_update is changed
  tags:
  - ipsilon

- include_role:
    name: ipa/client

- name: Get admin ticket
  shell: echo "{{ipa_admin_password}}" | kinit admin
  check_mode: no
  tags:
  - ipsilon

- name: Install ipsilon
  command:
    cmd: ipsilon-server-install
         --root-instance
         --admin-user=admin
         --ipa=yes
         --openidc=yes
         --openid=yes
         --saml2=yes
         --info-sssd=yes
         --form=yes
    creates: /etc/ipsilon/root/ipsilon.conf
  tags:
  - ipsilon

- name: Destroy admin ticket
  command: kdestroy -A
  tags:
  - ipsilon

- name: make sure /etc/ipsilon/root is owned correctly
  file:
    path: "/etc/ipsilon/root"
    owner: ipsilon
    group: ipsilon
    state: directory
    mode: 0700
  tags:
  - ipsilon
  - config

- name: copy ipsilon configuration
  template:
    src: "ipsilon.conf"
    dest: "/etc/ipsilon/root/ipsilon.conf"
    owner: ipsilon
    group: ipsilon
    mode: 0600
  tags:
  - ipsilon
  - config
  notify:
  - restart apache

- name: copy ipsilon admin configuration
  template:
    src: "configuration.conf"
    dest: "/etc/ipsilon/root/configuration.conf"
    owner: ipsilon
    group: ipsilon
    mode: 0600
  tags:
  - ipsilon
  - config
  notify:
  - restart apache

- name: copy ipsilon OIDC client config
  copy:
    src: "{{ private }}/files/ipsilon/openidc.{{env}}.static"
    dest: /etc/ipsilon/root/openidc.static.cfg
    owner: ipsilon
    group: ipsilon
    mode: 0600
  tags:
  - ipsilon
  - config
  notify:
  - restart apache

- name: copy ipsilon httpd config
  template:
    src: "httpd.conf.j2"
    dest: /etc/ipsilon/root/idp.conf
  tags:
  - ipsilon
  - config
  notify:
  - restart apache

- name: copy OIDC private key
  copy:
    src: "{{ private }}/files/ipsilon/openidc{{ env_suffix }}.key"
    dest: /etc/ipsilon/root/openidc.key
    owner: ipsilon
    group: ipsilon
    mode: 0600
  tags:
  - ipsilon

- name: create SAML2 dir
  file:
    path: /etc/ipsilon/root/saml2
    state: directory
    mode: 0700
    owner: ipsilon
    group: ipsilon
    setype: httpd_var_lib_t
  tags:
  - ipsilon

- name: copy SAML2 private key
  copy:
    src: "{{ private }}/files/saml2/{{ env }}/keys/idp.key"
    dest: /etc/ipsilon/root/saml2/idp.key
    owner: ipsilon
    group: ipsilon
    mode: 0600
  tags:
  - ipsilon

- name: copy SAML2 public key
  copy:
    src: "{{ private }}/files/saml2/{{ env }}/keys/idp.crt"
    dest: /etc/ipsilon/root/saml2/idp.crt
    owner: ipsilon
    group: ipsilon
    mode: 0644
  tags:
  - ipsilon

- name: copy saml2 metadata script
  template:
    src: prepare-saml2-metadata.py
    dest: /usr/local/bin/prepare-saml2-metadata
    owner: root
    group: root
    mode: 0755
  tags:
  - ipsilon

- name: generate the saml2 metadata
  become_user: ipsilon
  become: yes
  command:
    cmd: /usr/local/bin/prepare-saml2-metadata
    creates: /etc/ipsilon/root/saml2/metadata.xml
  tags:
  - ipsilon

- name: set sebooleans so ipsilon can talk to the db
  seboolean:
    name: httpd_can_network_connect_db
    state: true
    persistent: true
  tags:
  - ipsilon

- name: set sebooleans so ipsilon can talk to IPA for the openid extension
  seboolean:
    name: httpd_can_network_connect
    state: true
    persistent: true
  tags:
  - ipsilon

- name: set sebooleans so ipsilon can talk to sssd
  seboolean:
    name: httpd_dbus_sssd
    state: true
    persistent: true
  tags:
  - ipsilon

- name: set sebooleans so ipsilon can use python-pam
  seboolean:
    name: "{{ item }}"
    state: true
    persistent: true
  loop:
  - httpd_tmp_exec
  - httpd_mod_auth_pam
  tags:
  - ipsilon

- name: apply selinux type to the wsgi file
  file:
    dest: /usr/libexec/ipsilon
    setype: httpd_sys_content_t
  tags:
  - ipsilon

- name: copy SSSd configuration
  template:
    src: sssd.conf
    dest: /etc/sssd/sssd.conf
    owner: root
    group: root
    mode: 0600
  tags:
  - ipsilon
  - config
  notify:
  - restart sssd
